If you have a custom authentication layer,
you may need to write your own IdentityAdapter.
Here's an example for an authentication system
where the user id is saved in the session (using beaker sessions):

Note also the contextual = True and determines = {...}
lines in the OwnerRoleProvider class.
These are optimization hints,
telling the system not to bother querying the RoleProvider
unless a context object is provided and one of the listed roles
is present in the query.
You can safely omit these lines,
in which case your RoleProvider will be called for every lookup.
Note that RoleProviders can also be called directly,
in which case these hints are ignored.
Your member_subset logic should still account for cases
where context is None, or where it is queried for other roles.

If you want to check for a single role,
the @role_decider decorator
is a convenient shortcut.
The OwnerRoleProvider might have been more concisely written as:

Custom unauthorized responses

By default KnaveMiddleware returns a minimal HTTP
401 Not Authorized response when encountering an Unauthorized exception.

You can change what action to take
when an Unauthorized exception is encountered
by supplying an unauthorized_response argument
to KnaveMiddleware. This must be a WSGI app,
and as such can return any suitable response
(for example, redirecting to a login page):
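
A WSGI app of the kind described above, as an added example that is not from the original page or the knave project: it redirects GET and HEAD requests to a login page with a same-site return path, and answers other methods with a plain 401. The `/login` path and the `next` parameter name are assumptions.

```python
from urllib.parse import quote, urlencode

LOGIN_PATH = "/login"  # assumed login URL, not taken from the page


def _return_path(environ):
    """Build a same-site relative path for the post-login return trip."""
    # WSGI hands over the path as latin-1-decoded bytes; re-encode before quoting.
    raw = (environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")).encode("latin-1")
    # Collapse leading slashes so "//other.host/..." cannot be read as a
    # scheme-relative URL that sends the browser off-site after login.
    path = "/" + quote(raw).lstrip("/")
    query = environ.get("QUERY_STRING", "")
    return path + ("?" + query if query else "")


def login_redirect(environ, start_response):
    """WSGI app: send browsers to the login page, everything else gets a 401."""
    if environ.get("REQUEST_METHOD", "GET") not in ("GET", "HEAD"):
        # Redirecting a POST would silently drop its body; report the failure.
        body = b"Authentication required\n"
        start_response("401 Unauthorized", [
            ("Content-Type", "text/plain; charset=utf-8"),
            ("Content-Length", str(len(body))),
        ])
        return [body]
    # The return path is built from the request path only, never from the
    # Host header or a client-supplied URL, and is percent-encoded as a value.
    location = LOGIN_PATH + "?" + urlencode({"next": _return_path(environ)})
    start_response("302 Found", [
        ("Location", location),
        ("Cache-Control", "no-store"),
        ("Content-Length", "0"),
    ])
    return [b""]
```

Pass `login_redirect` as the unauthorized_response argument to KnaveMiddleware. The login handler that consumes `next` should still accept only relative paths.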

If your RoleProvider or Predicate depends on information from the WSGI environ,
this is no longer directly supported. Your application must now explicitly pass
any context information required to evaluate roles or predicates in the
context argument.

Testing permissions now always requires an ACL object. Where in 0.2 you would
have written this: